slsa-framework/slsa

TODO: Need mitigation description for "Include a vulnerable dependency" threat

I think the answer to this will be mostly the same as (G). I'll wait until #1190 is merged before making a proposal.

This starts with admission control over the full dependency graph, not just those explicitly mentioned in a project's dependencies.

If the dependency inclusion is not declarative, then static code analysis might be required to even detect the inclusion of the vulnerable code. The risk of copy-paste inclusion of vulnerabilities, especially from bad sample code, is significant.
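Added example, not code from the SLSA project or either commenter: an admission check that walks the full transitive dependency graph and reports the inclusion path of each hit, beside the direct-dependencies-only check that the comment above says is insufficient. The graph, package names, versions and the advisory id are constructed placeholders; a real check would read a lockfile and a vulnerability database.

```python
from collections import deque

# Constructed sample graph: "package@version" -> its direct dependencies.
SAMPLE_GRAPH = {
    "app@1.0.0": ["web-lib@2.3.0", "json-lib@1.1.0"],
    "web-lib@2.3.0": ["compress-lib@0.9.1"],
    "json-lib@1.1.0": [],
    "compress-lib@0.9.1": ["zlib-shim@3.0.0"],
    "zlib-shim@3.0.0": [],
}

# Constructed advisories: "package@version" -> placeholder advisory id.
SAMPLE_ADVISORIES = {
    "zlib-shim@3.0.0": "ADVISORY-PLACEHOLDER-1",
}


def resolve_transitive(root, graph):
    """Return {package: path_from_root} for everything reachable from root.

    Breadth-first, so each recorded path is a shortest chain of inclusion,
    which is what a reviewer needs to see when a transitive hit is reported.
    """
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        node = queue.popleft()
        for dep in graph.get(node, []):
            if dep not in paths:
                paths[dep] = paths[node] + [dep]
                queue.append(dep)
    return paths


def admission_check(root, graph, advisories):
    """Deny admission if any package in the full graph has a known advisory.

    Returns (admitted, findings); findings maps each vulnerable package to
    (advisory id, inclusion path) so that a transitive hit is explained.
    """
    findings = {}
    for pkg, path in resolve_transitive(root, graph).items():
        if pkg in advisories:
            findings[pkg] = (advisories[pkg], path)
    return (not findings), findings


def direct_only_check(root, graph, advisories):
    """The weaker check: only the explicitly declared dependencies are examined."""
    return not any(dep in advisories for dep in graph.get(root, []))
```

With the sample data, `direct_only_check` admits `app@1.0.0` while `admission_check` denies it and names the three-hop path through `web-lib` and `compress-lib` to the vulnerable package.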